[PATCH 1/1] 802.1X: validate input before pointer

Jouni Malinen j at w1.fi
Mon Sep 25 13:38:13 PDT 2017

On Fri, Aug 18, 2017 at 01:14:28AM +0200, Michael Braun wrote:
> ieee802_1x_kay_decode_mkpdu calls ieee802_1x_mka_i_in_peerlist before
> body_len has been checked on all segments.
> ieee802_1x_kay_decode_mkpdu and ieee802_1x_mka_i_in_peerlist might
> continue and thus underflow left_len even if it finds left_len to small
> (or before checking).
> Additionally, ieee802_1x_mka_dump_peer_body might perform out of bound
> reads in this case.
> Fix this by checking left_len and aborting if too small early.

Thanks, applied.
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list